Non-local boxes are hypothetical "machines" that give rise to superstrong non-local
correlations, leading to a stronger violation of Bell/CHSH inequalities than is
possible within the framework of quantum mechanics. We show how non-local
boxes can be used to perform any two-party secure computation. We first construct
a protocol for bit commitment and then show how to achieve oblivious transfer using
non-local boxes. Both have been shown to be impossible using quantum mechanics
alone.

1. Introduction

Consider two parties, Alice (A) and Bob (B), who are not able to communicate but
have access to physical states that they can use to generate joint correlations. The
generation of correlation can be regarded as an experiment in which both parties
decide to measure the state of their system, and the outcomes of their measurements
are given by random variables. Classical as well as quantum theories put limits
on non-local correlations that can be generated between separated sites when no
communication is available. In particular, both classical and quantum theories do
not violate the no-signaling condition of special relativity, i.e. the local choice of
measurements may not lead to observable differences on the other end. The limits
on the strength of correlations generated in the framework of any classical theory
(i.e. a theory based on local hidden variables) are known as Bell inequalities (Bell,
1965). A well-known variant of a Bell inequality is the Clauser, Horne, Shimony &
Holt (1969) (CHSH) inequality, which can be expressed as (van Dam, 2000)



$$\sum_{x,y \in \{0,1\}} \Pr(a_x \oplus b_y = x \cdot y) \le 3.$$

Here, $x \in \{0,1\}$ and $y \in \{0,1\}$ denote the choice of Alice's and Bob's measurement,
$a_x \in \{0,1\}$ and $b_y \in \{0,1\}$ the respective binary outcomes, and $\oplus$ addition modulo
2. The theory of quantum mechanics allows the violation of this inequality, but
curiously only up to a maximal value of $2 + \sqrt{2}$, which is known as Cirel'son's
bound (Cirel'son, 1980). Since special relativity allows a violation of Cirel'son's
bound, Popescu & Rohrlich (1994, 1996, 1997) raised the question why nature is not
more "non-local"? That is, why does quantum mechanics not allow for a stronger
violation of the CHSH inequality up to the maximal value of 4? To gain more insight
into this question, they constructed a toy-theory based on so-called non-local boxes.
Each such box takes inputs $x, y \in \{0,1\}$ from Alice and Bob respectively and
outputs measurement outcomes $a_x, b_y$ such that $x \cdot y = a_x \oplus b_y$. Note that Alice and
Bob still cannot use this box to transmit any information. However, since for all $x$
and $y$, $\Pr(a_x \oplus b_y = x \cdot y) = 1$, the above sum equals 4 and thus non-local boxes
lead to a maximum violation of the CHSH inequality.

In this paper, we investigate the relationship between nonlocality and cryptography.
As it has been shown (Lo, 1997; Lo & Chau, 1997, 1998; Mayers, 1996,
1997), classical as well as quantum mechanics do not allow for the construction of
unconditionally secure bit commitment and oblivious transfer without additional
assumptions. Thus it is a fundamental problem to assess whether any theory that
generates correlations renders these cryptographic primitives possible, while
simultaneously preserving the no-signaling constraint of special relativity. Here, we show
that two parties with access to the primitive of non-local boxes as described above 
are indeed able to perform unconditionally secure bit commitment (BC) as well as 
one-out-of-two oblivious transfer (1-2 OT). 

A bit commitment protocol allows Alice and Bob to perform the following task: 
Alice has chosen a bit b, and wants to convince Bob that her choice is made without 
revealing the actual value of b. Since Bob is inherently mistrustful, Alice sends 
him some piece of evidence that she made up her mind. However, Bob still has 
insufficient information to obtain b. Later on, Alice tells Bob her choice b' and Bob 
verifies that Alice is honest (b' = b) using the piece of evidence from Alice. The 
problem of oblivious transfer was introduced by Rabin (1981). The variant of 1-2 
OT first appeared in a paper by Even, Goldreich and Lempel (Even et al., 1985) 
and also, under a different name, in the well-known paper by Wiesner (1983). 1-2 
OT allows Alice and Bob to solve a seemingly uninteresting problem: Alice has
two bits $s_0$ and $s_1$. Bob wants to learn one of them, but does not want to disclose
to Alice which bit he is interested in. However, Bob should also be restricted to 
learning only one of Alice's inputs. It turns out that given 1-2 OT we can perform 
any kind of two-party secure computation (Kilian, 1988). 

It has been understood for a long time that noisy channels and preshared noisy 
correlations are sufficient to implement secure two-party computations, via 1-2 OT. 
Kilian (2000) has shown that noisy "cryptogates" (primitives with inputs and outputs
for each of the two players) can generically be used to implement 1-2 OT. Based
on the techniques of that paper one would expect that non-local boxes would permit
1-2 OT, since they provide some intrinsic noise. This is indeed the case, but for
more subtle reasons, as we shall discuss in the present paper. 

We would also like to draw the reader's attention to the work of van Dam 
(2005, 2000), who shows that access to perfect non-local boxes allows Alice and 
Bob to perform any kind of distributed computation by transmitting only a single 
bit of information. This is even true for slightly less perfect boxes achieving weaker 
correlations (Brassard et al., 2005).

(a) Related Work

Recently Wolf & Wullschleger (2005) suggested that 1-2 OT can be constructed
using one non-local box alone. However, their version of 1-2 OT implicitly assumes
that the non-local box acts as a kind of cryptogate: either the box has to wait until
both players provide their input before it produces output, or its use is timed in the
sense that the protocol will demand an input at a certain moment, and if a player
does not supply one, uses a standard input instead (say, 0). Notice that the first
possibility runs somewhat counter to the spirit of non-local boxes, as it would allow
signaling by delaying or not delaying an input. Non-local boxes, however, cannot be
used to signal. That this assumption of synchronous input / usage of the box is vital
to the result of Wolf and Wullschleger can easily be seen: without this assumption,
Bob can delay his choice of the selection bit indefinitely by simply deferring his use
of the non-local box. This makes an important difference in reductions to 1-2 OT.
Consider for example the standard reduction of OT to 1-2 OT (see Section 2(b)
for definitions): The sender uses inputs $s_k = b$ and = with $k \in_R \{0,1\}$. The
receiver uses input $c \in \{0,1\}$. The players now perform 1-2 OT$(s_0, s_1)(c)$ after which
the receiver holds $s_c$. Then the sender announces $k$. If $k = c$, the receiver succeeds
in retrieving $b$ and otherwise he learns nothing. This happens with probability
$p = 1/2$ and thus we have constructed OT from one instance of 1-2 OT. Clearly,
this reduction fails if we use 1-2 OT based on the type of boxes suggested in (Wolf &
Wullschleger, 2005). The receiver simply waits for the announcement of $k$ to retrieve
$b$ with probability $p = 1$. This was noticed independently by Gisin, Popescu & Short
(2005). However, the protocol of Wolf and Wullschleger forms a useful basis for our
construction of 1-2 OT in Section 4.

(b) This Work

Here, we demonstrate how to circumvent the problem of delay and construct 
a protocol for bit commitment and 1-2 OT based on non-local boxes. This shows 
that superstrong non-local correlations in the form of non-local boxes enable us to 
solve cryptographic problems otherwise known to be impossible. Our work therefore 
creates a link between cryptographic problems and the nature of non-locality. In 
particular, our result implies that the no-signaling principle and secure computation 
are compatible in principle. 

(c) Outline 

Notation and definitions are introduced in Section 2. Section 3 presents a protocol
for bit commitment based on non-local boxes. Finally, in Section 4, we show
how to obtain 1-2 OT using the same type of boxes. 

2. Preliminaries 

(a) Notation 

Throughout this text, we say "Alice picks x" if Alice chooses x independently 
at random from the uniform distribution over all strings of a certain length. We 
write $[n]$ for $\{1, \ldots, n\}$, and $y \in_R S$ if $y$ is chosen uniformly at random from
$S$. In addition, we use $x \cdot y$ to denote the inner product $\sum_{i=1}^{n} x_i \cdot y_i \bmod 2$
between strings $x = x_1 \ldots x_n$ and $y = y_1 \ldots y_n$ from $\{0,1\}^n$. Furthermore, for
strings $x \in \{00, 01, 10, 11\}^*$ we define $|\cdot|_{11}$ recursively: For the empty word $\epsilon$ define
$|\epsilon|_{11} = 0$. For $a, b \in \{0,1\}$ and strings $x \in \{00, 01, 10, 11\}^*$ define $|abx|_{11} = |x|_{11} + 1$
if $ab = 11$ and $|abx|_{11} = |x|_{11}$ otherwise. Informally, for strings $x$ of even length,
$|x|_{11}$ is the number of substrings "11" in $x$ starting at an odd position.

(b) Model and Definitions

Throughout this text, we call the participant in a protocol honest if he follows 
the protocol. Since we are only interested in the case of unconditional security, a 
dishonest participant is not restricted in any way. In particular, he may lie about 
his own input, deviate from the protocol, or even abort the protocol completely. 

(i) Non-local Boxes 

A non-local box (NL Box), sometimes also referred to as Popescu-Rohrlich box, 
can be seen as a two-party primitive, generating correlations (Popescu & Rohrlich, 
1994). 

Definition 1. A non-local box (NL Box) is a two-party primitive between Alice and
Bob, in which Alice can input a bit $x \in \{0,1\}$ and obtains an outcome $a \in \{0,1\}$
and Bob can input $y \in \{0,1\}$ and obtains outcome $b \in \{0,1\}$ such that the following
holds:

• Once Alice inputs $x \in \{0,1\}$, she instantaneously receives outcome $a \in \{0,1\}$,

• Once Bob inputs $y \in \{0,1\}$, he instantaneously receives outcome $b \in \{0,1\}$,

such that $x \cdot y = a \oplus b$. Further, we demand that for all $c_1, c_2, c_3 \in \{0,1\}$

$$\Pr[a = c_1 \mid x = c_2, y = c_3] = \Pr[b = c_1 \mid x = c_2, y = c_3] = 1/2.$$

Observe that the last condition implies that these boxes cannot be used to signal, 
because the outcome of a is independent of x and y and also b is independent 
of x and y. It is worth mentioning that specifying the statistics of the primitive 
as we did, and disregarding the fact that outputs are obtained immediately after 
giving a local input, a non-local box is simply a special bidirectional channel, as 
proposed by Shannon (1960). Of course, in general such channels cannot give an 
output immediately without having both inputs; non-local boxes can, because they 
have no signaling capacity. Observe furthermore that the behaviour described in 
the definition parallels quantum mechanical experiments on entangled states: the 
outcomes are correlated in a way reflecting the measurement settings, but each 
experimenter obtains his outputs immediately. 

Note that both Alice and Bob can wait indefinitely before providing their input 
to the NL Box. Once they use the box, however, they will only obtain an outcome
in accordance with the condition given above. We say that Alice or Bob delay the 
use of their box, if they wait longer than a given protocol dictates before providing 
their input to the NL Box. 

(ii) Bit Commitment

Bit commitment is a well known cryptographic primitive that plays an important 
role in many other cryptographic protocols. It is defined as follows: 

Definition 2. Bit commitment (BC) is a two-party protocol between Alice (the 
committer) and Bob (the verifier), which consists of two stages, the committing and 
the revealing stage, and a final declaration stage in which Bob declares "accept" or 
"reject". The following requirements should hold: 

• (Correctness) If both Alice and Bob are honest, then before the committing
stage Alice decides on a bit $c$. Alice's protocol depends on $c$ and any randomness
used. At the revealing stage, Alice reveals to Bob the committed bit $c$.
Bob accepts.

• (Binding) Assume (a possibly dishonest) Alice wants to reveal bit $c'$. Then
always

$$\Pr[\text{Bob accepts} \mid \text{Alice reveals } c' = 0] + \Pr[\text{Bob accepts} \mid \text{Alice reveals } c' = 1] \le 1.$$

• (Concealing) If Alice is honest, Bob does not learn anything about c before the 
revealing stage. 

We say that Alice cheats if she chooses a bit c' only after the committing stage 
and tries to get Bob to accept c' during the revealing stage. We also say that Alice 
cheats successfully, if Bob accepts the chosen c'. Furthermore, we say that Bob 
cheats if he tries to obtain c before the revealing stage. Bob cheats successfully 
if he obtains the correct c before the revealing stage. Note that our protocol for 
bit commitment is probabilistic and thus achieves statistical security for a security 
parameter $n$. The sum of acceptance probabilities in the binding condition only
needs to be smaller than $1 + \epsilon^n$ for some $0 < \epsilon < 1$. Likewise, the probability that
Bob correctly guesses bit $c$ before the revealing stage is $p \le 1/2 + (\epsilon')^n$ for some
$0 < \epsilon' < 1$. By choosing $n$ large we can get arbitrarily close to the ideal scenario.

(iii) Oblivious Transfer

Different versions of oblivious transfer exist in the literature. Here, we will be 
concerned with one of the most simple forms of oblivious transfer, namely 1-2 OT. 

Definition 3. One-out-of-two oblivious transfer (1-2 OT$(s_0, s_1)(c)$) is a two-party
protocol between Alice (the sender) and Bob (the receiver), such that the following
holds:

• (Correctness) If both Alice and Bob are honest, the protocol depends on Alice's
two input bits $s_0, s_1 \in \{0,1\}$ and Bob's input bit $c \in \{0,1\}$. At the end of the
protocol Bob knows $s_c$.

• (Security against Alice) If Bob is honest, Alice does not learn $c$.

• (Security against Bob) If Alice is honest, Bob does not learn anything about
$s_{\bar c}$.

Again, our protocol is probabilistic and achieves statistical security for a security
parameter $n$. The probability that Bob learns $s_{\bar c}$ is $p \le \epsilon^n$ for some $\epsilon < 1$. Similarly,
the probability that Alice correctly guesses $c$ is upper bounded by $1/2 + (\epsilon')^n$ for
some $0 < \epsilon' < 1$.

As we saw in Section 1(a), the fact that Alice and Bob can wait before using an 
NL Box can have an effect on cryptographic reductions. In our example, we made 
use of the most simple form of oblivious transfer, i.e. an erasure channel. 

Definition 4. Oblivious transfer (OT) is a two-party protocol between Alice (the 
sender) and Bob (the receiver), such that the following holds: 

• (Correctness) If both Alice and Bob are honest, the protocol depends on Alice's
input bit $b \in \{0,1\}$. At the end of the protocol, Bob obtains $b$ with probability
1/2 and knows whether he obtained $b$ or not.

• (Security against Alice) If Bob is honest, Alice does not learn whether Bob 
obtained b. 

• (Security against Bob) If Alice is honest, Bob's probability of learning bit b 
does not exceed 1/2. 

3. BC from NL Boxes 

We now give a bit commitment protocol based on NL Boxes. Our protocol consists 
of k blocks. In each block the parties use 2n + 1 shared non-local boxes. We later 
fix the security parameter n such that we achieve sufficient security against Bob. 



Protocol 1: 1-NLBC(c) One Block

1-commit(c)

• Alice wants to commit to bit $c$. She encodes $c$ into a string $x$: She chooses
$x \in \{0,1\}^{2n+1}$ by randomly choosing the first $2n$ bits and then choosing
$x_{2n+1} \in \{0,1\}$ such that $|x_1 \ldots x_{2n}|_{11} + x_{2n+1} + c$ is even.

• Alice puts the bits $x_1, x_2, \ldots, x_{2n+1}$ into the boxes $1, 2, \ldots, 2n+1$. Let
$a_1, a_2, \ldots, a_{2n+1}$ be Alice's output bits from the boxes.

• Alice computes the parity of all these output bits $A = \bigoplus_{i=1}^{2n+1} a_i$ and sends
$A$ to Bob.

• Bob randomly chooses a string $y \in_R \{0,1\}^{2n+1}$ and puts the bits
$y_1, y_2, \ldots, y_{2n+1}$ into his boxes. We call the output bits from his boxes
$b_1, b_2, \ldots, b_{2n+1}$.

1-reveal(c)

• Alice sends $c$, her string $x$ and all her $2n+1$ output bits to Bob.

• Bob checks if Alice's data is consistent: $\forall i \in [2n+1]$, $x_i \cdot y_i = a_i \oplus b_i$
and $|x_1 \ldots x_{2n}|_{11} + x_{2n+1} + c$ is even. If not, he accuses her of cheating.


Define $C(x)$ to be the bit which is encoded by $x$. If Alice is honest, $C(x) = c$.
It will be clear from our analysis in Section 3(a), that if Alice cheats in one block
of the protocol Bob will notice this in the revealing stage with probability 1/4. To
increase this probability, we can run many rounds of this protocol.



Protocol 2: NLBC(c) The Full Protocol

commit(c)

Alice wants to commit to bit $c$. Then Alice and Bob run $k$ times 1-commit(c)
of 1-NLBC(c).

reveal(c)

Alice and Bob run $k$ times 1-reveal(c) of 1-NLBC(c).



If Alice and Bob run the full protocol NLBC(c) with $k$ rounds, then the probability
that Bob catches a cheating Alice becomes larger. In fact, in a $k$ block
protocol, the probability that Alice can cheat successfully is $\le (3/4)^k$. Even though
Bob learns a little bit about the committed bit $c$ in each block, we show below that
the amount of information he learns about $c$ can be made arbitrarily small.

(a) Security against Alice 

Let us first analyze the security against a cheating Alice for one block only. We 
show that no matter which cheating strategy Alice uses, she is always detected with 
probability at least 1/4. There are two cases for Alice's cheating strategy: 

1. She has input something into all her boxes after the committing stage. If she
wants to reveal a bit different from $C(x)$ (for the originally chosen $x$), she
needs to change at least one of her $x_i$. If she does not change the corresponding
output bit $a_i$ and if Bob had input $y_i = 1$ she will be caught. Similarly,
if she changes $a_i$ but Bob had input $y_i = 0$ she will be caught. Because
$\Pr[y_i = 1] = \Pr[y_i = 0] = 1/2$ she is detected with probability at least 1/2.

2. Alice delays her input to some boxes after the committing stage. Without loss
of generality we can assume that all boxes have inputs before the revealing
stage. Otherwise, Alice's strategy is equivalent to giving a random input and
disregarding both input and output.

Suppose Alice sends bit $A'$ to Bob in the committing stage, pretending it
was the parity of her $a_i$'s. She now wants to reveal. Since the outputs of her
delayed boxes are completely random to her, with probability 1/2, the parity
of all $a_i$'s will be different from $A'$. Thus, in this case she has to change at
least one $a_i$. But if $y_i = 0$ ($y_i = 1$) and Alice does (does not) change $x_i$,
she is caught. Thus, Alice's cheating is detected with probability at least 1/4.
We now show that there is a cheating strategy for Alice, such that she is
only detected with probability 1/4, if at least 3 boxes are used per block: She
first sends a random bit $A$ to Bob in the committing stage and does not input
anything into her boxes. In the revealing stage she chooses $x \in \{00\}\{0,1\}^{2n-1}$
with $C(x) = c'$, where $c'$ is the bit she wants to reveal. Then she puts the $x_i$'s
into her boxes. With probability 1/2 the parity of the outputs $a_i$ from the
boxes is equal to $A$. Then she is lucky and proceeds with the protocol as she
was supposed to. If not she flips the bits $x_1$ and $a_1$ and then goes on with the
protocol as normal. Now, the parity of the output bits is indeed equal to the
$A$ she sent before and the $x$-string still encodes $c'$. The changes are detected
by Bob iff $y_1 = 0$. If Bob is honest we have $\Pr[y_1 = 0] = 1/2$. Thus, a cheating
Alice, using the above strategy, is detected by an honest Bob with probability
1/4.
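
One block of the commitment and the delay strategy just described, enumerated exactly, as an added example (not code from the paper). The box outputs are modelled by drawing Alice's bits uniformly and setting b_i = a_i XOR x_i y_i, Bob's comparison of the parity of the a_i with A is taken from the analysis above, and all function names are assumptions of this example.

```python
from fractions import Fraction
from itertools import product


def encoded_bit(x):
    """C(x): the bit c for which |x_1..x_2n|_11 + x_{2n+1} + c is even."""
    pairs_11 = sum(x[i] & x[i + 1] for i in range(0, len(x) - 1, 2))
    return (pairs_11 + x[-1]) % 2


def parity(bits):
    return sum(bits) % 2


def bob_accepts(A, c, x, a, y, b):
    """1-reveal check. Comparing parity(a) with the committed A is the
    consistency condition the analysis in Section 3(a) relies on."""
    boxes_ok = all((xi & yi) == (ai ^ bi) for xi, yi, ai, bi in zip(x, y, a, b))
    return boxes_ok and encoded_bit(x) == c and parity(a) == A


def honest_acceptance(n):
    """Fraction of honest runs Bob accepts, over every x, a and y."""
    m, runs, accepted = 2 * n + 1, 0, 0
    for x, a, y in product(product((0, 1), repeat=m), repeat=3):
        # NL Box rule: the joint law of (a_i, b_i) does not depend on who
        # inputs first, so a is enumerated uniformly and b is derived.
        b = tuple(ai ^ (xi & yi) for ai, xi, yi in zip(a, x, y))
        runs += 1
        accepted += bob_accepts(parity(a), encoded_bit(x), x, a, y, b)
    return Fraction(accepted, runs)


def delay_cheat_detection(n, c_reveal):
    """Exact probability that Bob rejects when Alice delays all her boxes.

    Requires n >= 1 (at least 3 boxes per block), as in the text.
    """
    m, runs, caught = 2 * n + 1, 0, 0
    # Chosen only in the revealing stage: x starts with 00 and C(x) = c_reveal.
    x = (0,) * (m - 1) + (c_reveal,)
    strings = list(product((0, 1), repeat=m))
    for A, a, y in product((0, 1), strings, strings):
        # A is the random bit sent while committing; a is what the boxes
        # return once Alice finally uses them.
        b = tuple(ai ^ (xi & yi) for ai, xi, yi in zip(a, x, y))
        x_sent, a_sent = x, a
        if parity(a) != A:
            # Unlucky half of the runs: flip x_1 and a_1 so the parity fits.
            x_sent = (1,) + x[1:]
            a_sent = (a[0] ^ 1,) + a[1:]
        runs += 1
        caught += not bob_accepts(A, c_reveal, x_sent, a_sent, y, b)
    return Fraction(caught, runs)


if __name__ == "__main__":
    print("honest runs accepted:", honest_acceptance(1))
    for c_reveal in (0, 1):
        print("reveal", c_reveal, "detected with probability",
              delay_cheat_detection(1, c_reveal))
```

The detection probability does not grow with n; only the number of blocks k drives Alice's success probability down.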

Now, assume that Alice and Bob run a $k$-block protocol. Note that Alice may
employ a different strategy (1 or 2, see above) for each block. Assume that Alice
employs strategy 2 in $k_*$ blocks and that she employs strategy 1 in $k - k_*$ blocks.
For strategy 1: She commits to 1 in $k_1$ blocks and to 0 in $k_0 = k - k_* - k_1$ blocks,
where $k_1 \le k - k_*$. Then security against Alice as in Definition 2 follows by proving
that the following is close to 1:

$$\Pr[\text{Bob accepts} \mid \text{Alice reveals } c' = 0] + \Pr[\text{Bob accepts} \mid \text{Alice reveals } c' = 1]$$
$$\le (1/2)^{k_1} (3/4)^{k_*} + (1/2)^{k_0} (3/4)^{k_*}$$
$$= (3/4)^{k_*} (1/2)^{k_0} \left(1 + (1/2)^{k_1 - k_0}\right).$$

Without loss of generality we can assume $k_1 \ge k_0$. Then $1 + (1/2)^{k_1 - k_0} \le 2$. Thus,
if $k_* > 2$ or $k_0 > 0$ the last expression is certainly less or equal to 1. For $k_* \le 2$ and
$k_0 = 0$ the expression is upper bounded by $1 + (1/2)^{k-2}$, which is in accordance
with Definition 2.

(b) Security against Bob 

Let us now analyze the security against a cheating Bob. We first want to prove 
that Bob cannot learn too much in one block. Bob can base his guess for c on 
the output of his boxes and the bit A he receives from Alice. Note that after Bob 
has received the bit $A$, he learns the inner product of $x$ and $y$, because:

$$x \cdot y = \bigoplus_{i=1}^{2n+1} x_i \cdot y_i = \bigoplus_{i=1}^{2n+1} a_i \oplus b_i = A \oplus \bigoplus_{i=1}^{2n+1} b_i.$$

We want to argue that this is all Bob learns about $x$ (and therefore $c$). In
the trivial case $y = 0^{2n+1}$ it is easy to see that Bob learns nothing, because his
output bits $b_i$ are uniformly random and the bit $A$ he receives does not contain
any information since $A = \bigoplus_{i=1}^{2n+1} b_i$. For that reason we will not consider the case
$y = 0^{2n+1}$ in our further analysis.

Assume now Bob chooses $y \in \{0,1\}^{2n+1} \setminus \{0\}^{2n+1}$. Furthermore, assume that
Alice and Bob follow the above protocol, but this time Alice does not commit to a
bit but rather chooses a uniformly random string $x \in \{0,1\}^{2n+1}$. First note that
as above Bob still learns $x \cdot y$. Since $|\{x : x \cdot y = 1\}| = |\{x : x \cdot y = 0\}|$, $x \cdot y$ contains
exactly one bit of information about $x$. But also, since the boxes are non-signaling
and Alice only sends one bit, Bob can learn at most one bit of information about $x$.
Therefore, the only thing Bob learns about $x$ is $x \cdot y$. Since in this changed protocol
Bob learns precisely $x \cdot y$, also in the original protocol Bob learns precisely $x \cdot y$ and
nothing else.

The following lemma can be used to upper bound Bob's information gain in one 
block, by proving that x ■ y (Bob's only information about Alice's commitment) is 
always almost uniformly distributed. 

Lemma 3.1. Assume Alice and Bob execute one block of the protocol with $2n + 1$
NL Boxes, where Bob chooses some $y \in \{0,1\}^{2n+1} \setminus \{0\}^{2n+1}$ and Alice commits to
some $c \in \{0,1\}$. Then the probability for $x \cdot y = c$, averaged over all $x \in C^{-1}(c)$,
obeys

$$\left| \Pr_{x, C(x) = c}[x \cdot y = c] - 1/2 \right| \le 1/2^{n+1}.$$

Proof. We write $p^c_y$ as a shorthand for $\Pr_{x, C(x)=c}[x \cdot y = c]$. The proof is by induction
on $n$. For $n = 0$ the statement is easily seen to be true. Assume now $n > 0$. Let
$y_1, y_2$ be the first two bits of $y$ and $y'$ the rest, i.e. $y = y_1 y_2 y'$. To explain the
argument, let us for instance look at the case $y_1 y_2 = 01$. For any $x' \in \{0,1\}^{2n-1}$
we have $C(x') \oplus (x_1 \cdot y_1) \oplus (x_2 \cdot y_2) = C(x_1 x_2 x')$ if $x_1 x_2 \in \{00, 10, 11\}$ and we have
$\overline{C(x')} \oplus (x_1 \cdot y_1) \oplus (x_2 \cdot y_2) = C(x_1 x_2 x')$ if $x_1 x_2 = 01$. This observation yields

$$p^c_{01y'} = \Pr[x_1 x_2 \in \{00, 10, 11\}]\, p^c_{y'} + \Pr[x_1 x_2 = 01]\, p^{\bar c}_{y'} = 1/2 + 1/4\,(p^c_{y'} - p^{\bar c}_{y'}),$$

where we used in the second equality $\Pr[x_1 x_2 = x'_1 x'_2] = 1/4$ for any $x'_1 x'_2$ and
$p^c_{y'} + p^{\bar c}_{y'} = 1$ for $y' \ne 0^{2n-1}$. By the inductive assumption $|p^c_{y'} - p^{\bar c}_{y'}| \le 2^{-n+1}$ and
thus $|p^c_{01y'} - 1/2| \le 2^{-(n+1)}$. In the other cases for $y_1 y_2$ we get

$$p^c_{00y'} = \Pr[x_1 x_2 \in \{00, 10, 01\}]\, p^c_{y'} + \Pr[x_1 x_2 = 11]\, p^{\bar c}_{y'},$$
$$p^c_{10y'} = \Pr[x_1 x_2 \in \{00, 01, 11\}]\, p^c_{y'} + \Pr[x_1 x_2 = 10]\, p^{\bar c}_{y'},$$
$$p^c_{11y'} = \Pr[x_1 x_2 = 00]\, p^c_{y'} + \Pr[x_1 x_2 \in \{01, 10, 11\}]\, p^{\bar c}_{y'},$$

from which the bound follows by the same argument as above. □

We now analyze a $k$-block protocol, where for simplicity $k$ is even. We only consider
the case where Alice commits to $c = 0$ and $c = 1$ each with probability 1/2.

Lemma 3.2. Assume Alice and Bob run a $k$-block protocol in which in each block
$2n + 1$ boxes are used. Then the probability that Bob can guess the committed bit
correctly is upper bounded by $1/2 + k/2^{n+1}$.

Proof. Let $r_i$ be Bob's best guess for $c$ using only $x \cdot y$ from the $i$-th block. Set $\epsilon_i$
such that $1/2 + \epsilon_i = \Pr[c = r_i]$. By Lemma 3.1, $0 \le \epsilon_i \le 1/2^{n+1}$. Note that Bob's
only information about $c$ is $r_1, \ldots, r_k$.

Let us think of the process of how $r_i$ is obtained in a way which is easier to
analyze but equivalent to the original: With probability $1 - 2\epsilon_i$ (a) the bit $r_i$ is
chosen randomly from $\{0,1\}$ and with probability $2\epsilon_i$ (b) $r_i$ is set to $c$.

By the union bound the probability that at least once during the $k$ blocks case
(b) occurs is at most $\sum_{i=1}^{k} 2\epsilon_i \le k/2^n$. Thus, with probability at least $1 - k/2^n$
the bits $r_1, \ldots, r_k$ are completely random. Bob's probability of guessing correctly
is upper bounded by $1/2\,(1 - k/2^n) + k/2^n = 1/2 + k/2^{n+1}$. □

Note that the analysis in Lemma 3.2 is not tight, but sufficient for our purposes. 
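
Lemma 3.1 can be checked by brute force for small n, as in this added example (not code from the paper); it also shows that the bound is attained. smallest_n applies the bound of Lemma 3.2 to pick n for a given number of blocks k; all function names are assumptions of this example.

```python
from fractions import Fraction
from itertools import product


def encoded_bit(x):
    """C(x): the bit c for which |x_1..x_2n|_11 + x_{2n+1} + c is even."""
    pairs_11 = sum(x[i] & x[i + 1] for i in range(0, len(x) - 1, 2))
    return (pairs_11 + x[-1]) % 2


def inner(x, y):
    """Inner product x . y modulo 2."""
    return sum(xi & yi for xi, yi in zip(x, y)) % 2


def bias(y, c):
    """|Pr[x . y = c] - 1/2| for x uniform over the strings encoding c."""
    preimage = [x for x in product((0, 1), repeat=len(y)) if encoded_bit(x) == c]
    hits = sum(inner(x, y) == c for x in preimage)
    return abs(Fraction(hits, len(preimage)) - Fraction(1, 2))


def max_bias(n):
    """Largest bias over both values of c and every non-zero y of length 2n+1."""
    strings = product((0, 1), repeat=2 * n + 1)
    return max(bias(y, c) for y in strings if any(y) for c in (0, 1))


def smallest_n(k, advantage):
    """Least n with k / 2^(n+1) <= advantage, using the bound of Lemma 3.2."""
    n = 0
    while Fraction(k, 2 ** (n + 1)) > advantage:
        n += 1
    return n


if __name__ == "__main__":
    for n in range(4):
        print(f"n={n}: max bias {max_bias(n)}, lemma bound {Fraction(1, 2 ** (n + 1))}")
    print("n needed for k=40 blocks and advantage 2^-20:",
          smallest_n(40, Fraction(1, 2 ** 20)))
```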



4. 1-2 OT from NL Boxes 

We now show how to construct 1-2 OT from NL Boxes. We thereby assume that
Alice and Bob have access to a secure bit commitment scheme BC as given in Section 3
for sufficiently large $k$. Our protocol extends the protocol suggested by Wolf &
Wullschleger (2005) and uses an idea presented in the context of quantum oblivious
transfer by Crepeau (1987, 1994) and Crepeau & Kilian (1988).

(a) Protocol

Before presenting the actual protocol, we briefly discuss the intuition behind it. 
The rough idea is that using NL Boxes, we can approximate an erasure channel 
from Alice and Bob: Suppose Alice has input $v \in \{0,1\}$. She picks $y \in_R \{0,1\}$,
sets $r_y = v$ and picks $r_{\bar y} \in_R \{0,1\}$. If Alice inputs $x = r_0 \oplus r_1$ and Bob inputs
$y' \in_R \{0,1\}$ to an NL Box they will obtain outputs $a$ and $b$ with $a \oplus b = x \cdot y'$. If
Alice now sends $m = r_0 \oplus a$ to Bob, Bob will obtain $r_{y'}$ by computing $m \oplus b =
r_0 \oplus a \oplus b = r_0 \oplus (r_0 \oplus r_1) y' = r_{y'}$. He cannot obtain more than one bit of information,
as he receives only one bit of communication from Alice. Now Alice announces $y$ to
Bob. If $y = y'$, Bob received Alice's input bit $r_{y'} = v$. This happens with probability
1/2. The only trick we need, is to make sure Bob actually did use the NL Box and
made his choice of $y'$ before Alice's announcement. To achieve this, bit commitment
is used in step 2.
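
The NL Box of Definition 1 and the erasure channel sketched above, as an added example (not code from the paper). It enumerates every run to show that Bob holds Alice's bit with probability 1/2 when he uses the box before y is announced and with probability 1 when he delays, which is the delay problem of Section 1(a) and the gap that step 2 closes; the class NLBox, its coin argument and the function names are assumptions of this example.

```python
from fractions import Fraction
from itertools import product


class NLBox:
    """NL Box of Definition 1: the outputs satisfy a XOR b == x AND y.

    Either side may input at any time and gets its output at once. `coin`
    is the uniformly random bit handed to whichever side inputs first (a
    modelling choice of this example so that runs can be enumerated).
    """

    def __init__(self, coin):
        self.coin, self.x, self.y = coin, None, None

    def alice(self, x):
        self.x = x
        return self.coin if self.y is None else self.coin ^ (x & self.y)

    def bob(self, y):
        self.y = y
        return self.coin if self.x is None else self.coin ^ (self.x & y)


def chsh_sum():
    """Sum over x, y of Pr[a XOR b == x AND y], averaged over the coin."""
    total = Fraction(0)
    for x, y in product((0, 1), repeat=2):
        hits = 0
        for coin in (0, 1):
            box = NLBox(coin)
            a, b = box.alice(x), box.bob(y)
            hits += (a ^ b) == (x & y)
        total += Fraction(hits, 2)
    return total


def alice_marginal(x, y, bob_first):
    """Pr[a == 1 | x, y]; 1/2 in every case, so Bob's input cannot signal."""
    ones = 0
    for coin in (0, 1):
        box = NLBox(coin)
        if bob_first:
            box.bob(y)
        ones += box.alice(x)
    return Fraction(ones, 2)


def erasure_success(bob_delays):
    """Exact probability that Bob ends up holding Alice's bit v and knows it."""
    cases = list(product((0, 1), repeat=5))
    wins = 0
    for v, y, r_other, coin, y_honest in cases:
        r = [0, 0]
        r[y], r[1 - y] = v, r_other          # r_y = v, the other bit is random
        box = NLBox(coin)
        a = box.alice(r[0] ^ r[1])
        m = r[0] ^ a                         # Alice's single message
        # An honest Bob has already used the box with his own random y';
        # a delaying Bob leaves it untouched until y has been announced.
        y_prime = y if bob_delays else y_honest
        b = box.bob(y_prime)
        assert m ^ b == r[y_prime]           # Bob always decodes r_{y'}
        wins += (y_prime == y)               # and r_{y'} is v exactly when y' = y
    return Fraction(wins, len(cases))


if __name__ == "__main__":
    print("CHSH sum:", chsh_sum())
    print("honest Bob learns v with probability", erasure_success(False))
    print("delaying Bob learns v with probability", erasure_success(True))
```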



Protocol 3: 1-2 NLOT$(s_0, s_1)(c)$

1: For $1 \le i \le 2n$:

• Alice picks $r_{0,i}, r_{1,i} \in_R \{0,1\}$.

• Bob picks $y'_i \in_R \{0,1\}$.

• Alice and Bob use one NL Box with inputs $x_i = r_{0,i} \oplus r_{1,i}$ and $y'_i$ respectively.
Alice gets $a_i$, Bob $b_i$.

2: For $1 \le i \le n$:

• Alice and Bob run commit($y'_i$), commit($b_i$), commit($y'_{i+n}$), commit($b_{i+n}$),
where Bob is the sender.

• Alice picks $k_i \in_R \{0,1\}$, and announces it to Bob.

• Alice and Bob run reveal($y'_{i+k_i n}$) and reveal($b_{i+k_i n}$), where Bob is the
sender.

• Alice checks that $x_{i+k_i n} \cdot y'_{i+k_i n} = a_{i+k_i n} \oplus b_{i+k_i n}$ and otherwise aborts
the protocol.

• Alice sets $r_{0,i} \leftarrow r_{0,i+\bar{k}_i n}$, $r_{1,i} \leftarrow r_{1,i+\bar{k}_i n}$ and $a_i \leftarrow a_{i+\bar{k}_i n}$. Bob sets
$b_i \leftarrow b_{i+\bar{k}_i n}$ and $y'_i \leftarrow y'_{i+\bar{k}_i n}$.

3: For $1 \le i \le n$:

• Alice sends $m_i = r_{0,i} \oplus a_i$ to Bob.

• Bob computes $v'_i = m_i \oplus b_i = r_{y'_i,i}$.

• Alice picks $y_i \in_R \{0,1\}$, sets $v_i = r_{y_i,i}$ and announces $y_i$ to Bob.

4: Bob picks $J_0, J_1 \subset [n]$, subject to $|J_0| = |J_1| = n/3$, $J_0 \cap J_1 = \emptyset$ and $\forall i \in J_c$,
$y_i = y'_i$. He announces $J_0, J_1$ to Alice.

5: Alice receives $J_0, J_1$, checks that $J_0 \cap J_1 = \emptyset$ and otherwise aborts the protocol.
She computes $\hat{s}_0 = s_0 \oplus \bigoplus_{j \in J_0} v_j$ and $\hat{s}_1 = s_1 \oplus \bigoplus_{j \in J_1} v_j$. She announces $\hat{s}_0, \hat{s}_1$
to Bob.

6: Bob now computes $s_c = \hat{s}_c \oplus \bigoplus_{j \in J_c} v'_j$.

(b) Correctness

We first need to show that if both parties are honest, Bob succeeds in retrieving
$s_c$ with high probability. Note that Bob can retrieve $s_c$, if he can construct a set
$J_c \subset [n]$ with $|J_c| = n/3$ where $\forall i \in J_c$, $y_i = y'_i$, since only then $\forall i \in J_c$, $v_i = v'_i$ and
he can compute

$$\hat{s}_c \oplus \bigoplus_{j \in J_c} v'_j = s_c \oplus \bigoplus_{j \in J_c} v_j \oplus \bigoplus_{j \in J_c} v'_j = s_c.$$

We are thus interested in the probability of Bob constructing such a set successfully.
Let $X_i$ be the random variable such that $X_i = y_i \oplus y'_i$. Note that since Alice and
Bob choose $y_i$ and $y'_i$ independently uniformly at random, the random variable
$S_n = \sum_{i=1}^{n} X_i$ is binomially distributed. From Hoeffding's inequality (Hoeffding,
1963) we obtain

$$\Pr(S_n - n/2 \ge \epsilon) \le e^{-2\epsilon^2/n}. \qquad (4.1)$$

Then,

$$\Pr(\text{Bob gets } s_c) = \Pr(\#\{y_i = y'_i\} \ge n/3)$$
$$= 1 - \Pr(\#\{y_i = y'_i\} < n/3)$$
$$= 1 - \Pr(S_n > 2n/3)$$
$$= 1 - \Pr(S_n - n/2 > n/6)$$
$$\ge 1 - e^{-n/18},$$

where the last inequality comes from equation (4.1). Thus the probability of Bob
failing is exponentially small in $n$.
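
An honest end-to-end run of Protocol 3, as an added example (not code from the paper). The commitments of step 2 are modelled as ideal, each NL Box as a function that draws Alice's output uniformly, and the names run_nlot, nl_box and honest_failure_probability are choices of this example; the last function evaluates exactly the probability that Bob cannot form J_c, which the correctness argument bounds with Hoeffding's inequality.

```python
import math
import random
from fractions import Fraction


def nl_box(x, y, rng):
    """One NL Box use: a is uniform and a XOR b == x AND y."""
    a = rng.getrandbits(1)
    return a, a ^ (x & y)


def xor_over(indices, bits):
    acc = 0
    for j in indices:
        acc ^= bits[j]
    return acc


def run_nlot(s0, s1, c, n, rng):
    """Honest run of Protocol 3 for n a multiple of 3.

    Returns Bob's output bit, or None if he cannot form J_c or Alice aborts.
    """
    def bit():
        return rng.getrandbits(1)

    # Step 1: 2n boxes with inputs x_i = r0_i XOR r1_i (Alice) and y'_i (Bob).
    r0 = [bit() for _ in range(2 * n)]
    r1 = [bit() for _ in range(2 * n)]
    yp = [bit() for _ in range(2 * n)]
    outs = [nl_box(r0[i] ^ r1[i], yp[i], rng) for i in range(2 * n)]
    a, b = [o[0] for o in outs], [o[1] for o in outs]

    # Step 2: Bob commits to (y'_i, b_i) for both boxes of the pair (i, i+n).
    # The commitment is modelled as ideal: what he opens is what he committed.
    kept = []
    for i in range(n):
        k = bit()
        opened, unopened = i + k * n, i + (1 - k) * n
        if ((r0[opened] ^ r1[opened]) & yp[opened]) != (a[opened] ^ b[opened]):
            return None                       # Alice aborts
        kept.append(unopened)
    r0, r1, a = ([seq[j] for j in kept] for seq in (r0, r1, a))
    b, yp = ([seq[j] for j in kept] for seq in (b, yp))

    # Step 3: Bob decodes v'_i = m_i XOR b_i; Alice fixes v_i and announces y_i.
    v_prime = [(r0[i] ^ a[i]) ^ b[i] for i in range(n)]
    y = [bit() for _ in range(n)]
    v = [(r0[i], r1[i])[y[i]] for i in range(n)]

    # Step 4: J_c only from indices with y_i == y'_i, the other set from the rest.
    matches = [i for i in range(n) if y[i] == yp[i]]
    if len(matches) < n // 3:
        return None
    J = {c: set(rng.sample(matches, n // 3))}
    rest = [i for i in range(n) if i not in J[c]]
    J[1 - c] = set(rng.sample(rest, n // 3))

    # Step 5: Alice checks disjointness and masks both of her inputs.
    if J[0] & J[1]:
        return None
    s_hat = (s0 ^ xor_over(J[0], v), s1 ^ xor_over(J[1], v))

    # Step 6: Bob unmasks the bit he asked for.
    return s_hat[c] ^ xor_over(J[c], v_prime)


def honest_failure_probability(n):
    """Exact Pr[fewer than n/3 indices have y_i == y'_i]."""
    return Fraction(sum(math.comb(n, j) for j in range(n // 3)), 2 ** n)


if __name__ == "__main__":
    rng = random.Random(2005)
    print("Bob's output:", run_nlot(1, 0, 0, 300, rng))
    print("failure probability for n = 90:", float(honest_failure_probability(90)))
```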



(c) Security against Alice 

Suppose that Bob is honest, but Alice tries to learn c. As outlined in Section 2, 
NL Boxes do not allow signaling and therefore Alice learns nothing during step 1 of 
the protocol. Due to the concealing properties of the bit commitment scheme, Alice's 
information gain in step 2 is negligible for a sufficiently large security parameter k. 
Thus the only time she receives information from Bob is during step 4. Note that 
Bob picks $y'_i$ independently of $y_i$. Alice has no information on $y'_i$. This means that
the elements of the sets $J_0$ and $J_1$ are independent of $c$ from Alice's point of view:
their composition depends only on whether $y'_i = y_i$ for a given $i$. Alice thus learns
nothing from observing the sets $J_0$ and $J_1$.

Note that Alice gains nothing from trying to delay her own boxes: By delaying
boxes in the commitment protocol employed in step 2, she will only remain more
ignorant about Bob's commitment. Furthermore, each round $i$ in step 1 corresponds
to Alice using an erasure channel with input $v_i = r_{y_i,i}$, because the following two
conditions are satisfied: step 2 ensures us that Bob uses this channel, and, since Alice
sends $y_i$ to Bob during step 3, Bob knows whether he obtained $v_i$. The situation
where Alice delays using the boxes is equivalent to using the channel with a randomly
chosen input and gives her no additional advantage. Since we can construct
an erasure channel, we thus obtain an 1-2 OT via the above construction (Crepeau,
1987).

(d) Security against Bob

Now suppose that Alice is honest, but Bob tries to learn more than $s_c$. We now
show that Bob can retrieve exactly one of the bits $s_0, s_1$. In particular, we show
that he cannot compute any function $f$ of $s_0$ and $s_1$ which depends on both input
bits.†

† A function $f$ depends on the $j$-th input argument if there is an input to $f$ such that changing
the $j$-th argument changes the value of $f$.

Because Alice is honest, all $v_i$ are independent. Furthermore, since the sets $J_0$
and $J_1$ are disjoint, it follows that $r = \bigoplus_{j \in J_0} v_j$ and $r' = \bigoplus_{j \in J_1} v_j$ are independent.
All Bob receives from Alice is $\hat{s}_0 = s_0 + r$ and $\hat{s}_1 = s_1 + r'$. Thus, in order to
compute any function $f$ of $s_0, s_1$ which depends on both input bits, Bob needs to
learn both $r$ and $r'$. Bob will only obtain $r$ and $r'$ and then also learn more than
one of the bits $s_0, s_1$, if he succeeds in creating two sets $J_0, J_1 \subset [n]$ with $J_0 \cap J_1 = \emptyset$
and $|J_0| = |J_1| = n/3$ such that $\forall i \in J_0 \cup J_1$, $y_i = y'_i$. We are therefore interested
in the probability that Bob can successfully construct two such sets.

In order to construct such sets, Bob may try to delay using some of the NL
Boxes during step 1. This will enable him to wait for the announcement in step 3,
to force $y_i = y'_i$ and obtain $v_i$ with certainty. By assumption, the bit commitment
scheme is binding for sufficiently large $k$ and thus Bob cannot try to fool Alice by
breaking the commitment itself. However, he can try to commit to random values
and escape detection during step 2. In particular, he can choose to be honest in step
1 for exactly one NL Box in runs $i$ and $n + i$. Without loss of generality, suppose he
was honest in run $n + i$ and delayed use of the box in run $i$. He then commits once
to the outcome of the honest box, and once to $y'_i = 1$ and a random $b_i \in_R \{0,1\}$.
The probability that Alice challenges him on the box he has been honest with
in step 1 is 1/2. Then he has succeeded to cheat on one of the bits, $y'_i$, and will
obtain $v_i$ with certainty. However, with probability 1/2 Alice will challenge him
on the other NL Box. In this case he can escape detection with probability 1/2:
He announces $y'_i$ and $b_i$ and hopes that this matches the input of Alice's box. He
will have committed to the correct $b_i$ with probability 1/2 and then he escapes
detection. Thus the total probability of cheating successfully on one of the bits is
given by $1/2 + (1/2)(1/2) = 3/4$. Let $C \subset [n]$ with $k = |C|$, $0 \le k \le n$ denote the
set of indices on which Bob tries to deceive Alice. He will remain undetected with
probability

Pr(Bob successfully cheats on $k$ bits)

Suppose now, that Bob successfully cheated on $k$ bits. We are then interested in
bounding the probability of constructing two valid sets if Bob already has $k$ valid
entries. Note that we now only consider the probability of achieving $y_i = y'_i$ for
indices $i \notin C$ and then $\#\{y_i = y'_i\} = (n - k) - S_{n-k}$. For $k < n$,

Pr(Bob gets $s_0$ and $s_1$)

If $k = n$, Bob will be caught with probability $(3/4)^n$. Thus the probability of Bob
deceiving Alice can be made arbitrarily small by choosing $n$ large.

5. Conclusion 

We have shown how to obtain protocols for bit commitment and one-out-of-two
oblivious transfer given access to non-local boxes. This creates a link between
cryptographic problems, which may appear very artificial, and non-local correlations: If
such NL Boxes were available in nature, we could implement these cryptographic
protocols securely which is known to be impossible to achieve using quantum
mechanics alone.

Interestingly, the quantum mechanical impossibility proofs for bit commitment 
and coin tossing (Lo & Chau, 1997, 1998; Mayers, 1996, 1997; Lo, 1997) via the 
so-called EPR-attack are the quantum version of delaying the input. One may want
to go back to explore why we could circumvent this attack here, and the reason 
seems to be that the NL Box is more like a quantum mechanical entangled state 
together with an encasing experimental setup, which enforces that the particles can 
only be measured separately. In contrast, for the EPR-attack to work, Alice has to 
be able to perform arbitrary collective operations on her qubits. 